In the past, Novell, Inc. of Provo, Utah has made available a Secure Authentication Service (SAS) providing Application Program Interfaces (APIs) for secure access to target resources in a computer network, using the security capabilities of industry-standard Secure Sockets Layer (SSL) sessions. Novell's SAS also provides other capabilities, such as user authentication, and graded authentication in conjunction with Novell Modular Authentication Service (NMAS). Graded authentication and computer security are discussed in U.S. patent application Ser. No. 08/802,764 filed Feb. 20, 1997 for a “Computer Network Graded Authentication System and Method”. SSL services in SAS use Novell Public Key Infrastructure (“PKI”), and Novell International Cryptographic Infrastructure (“NICI”) to provide a secure communication channel for applications. Suitable applications include Novell Lightweight Directory Access Protocol (“NLDAP”), Novell's Authentication over SSL in both BorderManager and Internet Caching Services (ICS), Novell's SAA product, and other products from Novell or other vendors.
Applications which sought to provide secure access to resources had to make specific SAS API calls which were separate from the standard transport APIs. For example, as shown in FIG. 1, a Novell or other LDAP application 100 had calls to both a BSD socket API 102 and an SAS API 104. Likewise; to use an SSL service in SAS, a proxy authentication application 106 in BorderManager and ICS had calls to both a Novell Proxy Connection API 108 and the SAS API 104. The connection layers 102, 108 called in turn on a transport layer such as a TCP/IP layer 110. As noted, SAS also provided services for PKI 112 and CCS/NICI 114. The SAS API 104 and the connection layer 102, 108 APIs define an application boundary 116 between applications such as LDAP 100 and proxy authentication 106, on the one hand, and network services for security and transport, and the other hand.
The nature of the application boundary 116 thus defined imposed significant burdens on applications that sought to provide secure access to network resources. Using SAS, an application had to be explicitly aware and involved in all aspects of security procedures, such as SSL handshakes, payload encryption, and payload decryption. Thus, at least a portion of the application had to be written twice for a particular service; once in the regular non-secure fashion and once again to provide that same service securely.
Accordingly, it would be an advance in the art to provide better ways to make SSL or other secure network communication channels available to applications. In particular, it would be an advance to relieve applications of direct responsibility for managing security procedures such as handshakes and encryption/decryption, while still making industry-standard tools such as SSL available for use by the applications.
Such improvements are disclosed and claimed herein.